Emerging Security for Mobile Devices using Biometrics

Biometrics for Low Power Mobile Devices Sujithra M

Dr.Padmavathi G

Assistant Professor, Dept of Computer Technology & Applications, Coimbatore Institute of Technology, Coimbatore, India

Professor & Head, Dept of Computer Science, Avinashilingam University Coimbatore, India

ABSTRACT: New dimension of Mobile devices knows as Smart phones and Tablets makes a revolution in the computing society. Most of the applications running on PC’s like banking, E-Commerce, Social Networking sites, Medical Applications , VPN are being deployed on Mobile devices. Hence security plays much an important role than earlier. Also, it necessitates reliable and easy use of securing the unauthorized access and diverse attacks to the data. It is preferred to apply biometrics for the security of Mobile devices and improve reliability. As an emerging technology, the paper discusses the various biometric traits used in mobile devices, concepts, issues, and challenges with security in mobile accesses. Keywords: Biometrics, Recognition, Authentication, Mobile Devices, Security

1. Introduction to Biometrics Biometrics is a method of recognizing a person based on his/her unique identification. Biometric identification is often used in large-scale systems such as computer systems security, secure E-banking, Mobile devices, smart cards, credit cards, secure access to buildings, health and social services. Biometric system refers to the automatic recognition of individuals based on their physiological and/or behavioral characteristics. It is generally a pattern recognition system that makes a personal identification by establishing the authenticity of an individual [1]. The paper mainly focuses on various biometrics traits, its strengths, limitations and performance on mobile devices. Authentication using biometric characteristics is more convenient because they cannot be forgotten, lost, or stolen which ensures the physical presence of the user while offering a significantly higher security. Based on the applications such as financial transactions, Telemedicine monitoring, the characteristics are evaluated in the selection process of a particular trait in the biometric system [2]: Universality – The person using the biometric system should possess the specified biometric trait. Uniqueness – Measures the separation of the biometric trait from one individual to another Permanence – Resistance on aging factor of a biometric trait. Collectability – Process of acquiring the biometric trait without causing inconvenience. Performance – Robustness, Accuracy of technology. Acceptability – Degree of approval of the biometric technology by the users. Circumvention – Easy use of an imitation of the biometric treat. Table 1.1 discusses the comparison between various biometric traits based on the above factors

2. Mobile Security Threats, Attacks

Circumvention

Performance

L M H L M M M L L M L M L H H

Collectability

H H H L H L M M H M M H H L M H L H H H L H M H M H H M H M M L L H L H M M M H M M M M M M M M H H H M H L L L L M L M H H H L L M M H H M H M H H M L H L L L L H L H M L L M L H Table 1.1 Comparison of various biometric technologies [3]

Permanence

Acceptability

DNA Ear Face Facial thermo gram Fingerprint Gait Hand geometry Hand vein Iris Keystroke Odor Palm print Retina Signature Voice

Distinctiveness

Biometric identifier

Universality

Mobile security discusses the security threats to data access in the Mobile device. Mobile devices have certain specific features which make these devices more vulnerable to security attacks such features are: • Mobility: Mobile devices can be taken to anywhere at any time. Chances of getting stolen, lost, or physically tempered • Strong Personalization: Generally mobile devices are not shared among multiple users. • Strong Connectivity: Mobile devices are always connected to other devices over the wireless networks. • Technology Convergence: Many attractive features integrated in the Mobile devices such as gaming, video, GPRS and internet browsing. • Limited Resources and Reduced Capabilities: Mobile devices have four major limitations: a) Limited battery life, b) limited computing power, c) very small display screen size, and d) very small sized keys for inputs [4]. Table 2.1 summarizes these features, attacks and security affects.

Attacks Causes (Features) Mobility

Attack Type Lost or theft device

Limited resources

DoS(Denial of Service)

Strong Connectivity Requirement

Viruses or worms (malware) Table 2.1 Attacks, Causes, and Affects. [4]

Mobile Security Affects Authentication, Confidentiality Data Integrity, Confidentiality, Availability Data Integrity, Confidentiality, and Charging

3. Implementation challenges in mobile security Because of the resource constraints in the mobile devices, implementing mobile security solutions must address the following needs and challenges in building mobile security. • Energy saving security solutions: The limited battery life and operation time requires mobile security solutions to be implemented in an energy saving approach. • Limited applications of existing security solutions: The limited computing capability and processing power of mobile devices restrict the applications of many existing complex security solutions, which require heavy processors. • Restricted size of screen and keyboard: It restricts the input and output capabilities of Mobile devices, which in turn cause some security related applications, for example, password protection may not be easy for mobile users. • Higher portability and inter-operation issues: Since mobile devices may be equipped with different mobile platforms and operation environments, mobile security technologies and solutions must be implemented with a higher portability to address interoperation issues. Although biometric technologies provide effective security solutions for mobile accesses, they have some limitations. For example, when thieves cannot get access to secure properties, there is a chance that they will stalk and assault the property owner to gain access. In 2005, Malaysian car thieves cut off the finger of a Mercedes-Benz S-Class owner when attempting to steal the car.

4. Biometrics on Mobile devices Era of Technology growth of using smart Mobile devices and i-phones, see Figure 4.1, for business transactions having high resolution cameras has given the possibility of using image processing applications for the authentication of individuals using mobile devices. It is reported that there are more than 4 billion cell phone users over the world and this number still continues to grow as predicted that by 2015 more than 86% of the world population will own at least one cell phone. [5] Mobile devices, with its unique features as small size, low cost, functional sensing platforms, computing power in addition to its wireless communication capability, is opening up new areas in biometrics that hold potentials for security of Mobile devices, the objective is to develop a reliable, portable real time Mobile Biometric System for identifying and authenticating individuals.

Fig 4.1 Worldwide Mobile devices Sales (in million), by technologies (Nokia Forum) [5] The current networked society of using mobile devices requires personal identification for its high level security. Comparing all other authentication methods such as possession-based and knowledge based, biometric authentication provides high level security since they cannot be forgotten, lost or stolen. It is efficient to apply biometrics for the security of Mobile devices. A biometric authentication system for a Mobile device will be used primarily in a verification mode when a biometric sample of the person trying to turn on or log in to the device is compared to that of a single rightful owner. The main goal of a mobile biometrics system is to identify and/ or verify individuals using Mobile devices [5].

Biometric identification is four-fold: • 1: N local identification – captures and search biometric identifier against a portable database stored on the handheld device, in situations where communications may be limited. • 1: N remote identification – perform searches of one or more biometric identifiers (i.e. fingerprints and iris) against remote databases using records transmitted securely from the device via wireless technology. • 1:1 local verification – match one or more biometric identifiers against other known records to verify that the two are the same using a smartcard, barcode or other secure credential. • 1:1 remote verification – match one biometric identifier against another stored at a remote location to verify identity and establish that the record is maintained in the database

5. Traits on Mobile devices (a) Fingerprint recognition: Finger print is one among the entire biometric trait used for identification which is based on ridges, space and valleys. Ridges and valleys are unique features for the person which claims the identity. Minutiae are where ridges begin, stop, fork or intersect. By extracting minutiae it is possible to extract the key features of fingerprint. Matching the minutiae, the number of ridge lines between the minutiae is used for personal identification. The owner’s template is created and stored in the mobile device itself. In the process of authentication, the features of live fingerprint are extracted from the mobile device and match it against the template which is already stored in the phone database. Widely used in the places requiring high level of security such as laboratories and military bases. By attaching a fingerprint scanner to the Mobile devices, this biometric could also be utilized for phone related security in a similar manner. The main drawback of using fingerprint with Mobile devices requires an external hardware scanner [6]. (b) Voice identification: Human voice is used to identify or authenticate the mobile users. Voice based biometric security system positively identifies and separates one individual from the other. It is capable to verify whether the person providing the voice inputs is the authorized person or not. It does so by comparing the voice input sample with a reference biometric, which is known as “reference voiceprint”. But sometimes due to some un- avoidable noises existing the environment will affect the authentication process. External noise present in the surrounding reduces the recognition rate [7].

(c) Face Recognition: Human face is used as a biometric trait for mobile users which requires a camera to capture the user’s facial image. Most Mobile devices are equipped with a camera. It is easy to capture the facial images with the limited memory storage on mobile devices. During enrollment, the extracted features are stored in the Database for registration. During verification, the extracted image is compared against the image stored in database. The advantage of this technology is that it doesn’t require any additional hardware because cameras already exist in most of the phones. To unlock the device it has to match user’s face captured by live camera against a saved portrait [8]. (d) Iris Recognition: Iris recognition is an effective biometric security approach which is using the human iris pattern as a biometric trait. Iris recognition technology is build based on the uniqueness of the iris with few characteristics such as rings, fibers, pits, freckles. The irises are different even in identical twins. Hence, iris recognition is considered as the most reliable biometric element for securing Mobile devices. The iris recognition based security technology in provides an option of storing iris code for both irises, so that during verification, the user is required to scan both eyes. A failure in matching both irises can trigger a security alarm or lockout the Mobile devices. As a biometric of high reliability and accuracy, iris recognition provides high level of security for cellular phone based services for example bank transaction service via Mobile devices [9]. (e) Gait Recognition: Mobile devices nowadays contain increasing amount of valuable personal information such as wallet and e-commerce applications. Therefore, the risk associated with losing Mobile devices is also increasing.

Gait, i.e., walking manner, is a distinctive characteristic for individuals. Gait recognition has been studied as a behavioral biometric for more than a decade, utilized either in an identification setting or in an authentication setting. The walking behavior is captured on video and video processing techniques are used for analysis, the Floor Sensor (FS) based gait recognition by placing sensors in the floor that can measure force and using this information for analysis and Wearable Sensor (WS) based gait recognition, in which scenario the user wears a device that measures the way of walking and recognize the pattern recognition for recognition purposes. The challenges of the method come from effect of changes in shoes, ground and the speed of walking. Drunkenness and injuries also affect performance of gait recognition [10].

6. Comparison of various Biometric Traits AttributesVS.Differe nt Security Solutions Types of Biometric Required Hardware

Finger print Image based Fingerprint sensor hardware

Affecting Factors

Cleanliness and the pressure of the fingers. Severe injury of fingers

Accuracy (Success Rate)

High or very high (up to 81%)

Limitations Ease of Use Cost

Voice Identification

Face Identification

Iris Recognition

Gait Recognition

Image based.

Image based

Digital camera

Digital camera

Voice based Any standard telephone Ages and behavior like cold, and mood Surrounding noise/sound

Image based Digital camera Lighting, weather, and coverage of the face.

Usage of reading glasses, sun glasses, and health issue with eyes can affect Iris recognition

Medium (N/A)

Medium High (69%)

Very High (up to 96%)

Input voice Capturing the iris quality and Facial image image may need users’ speech quality some practice. patterns High High Medium Low Low Low Low High Table 6.1 Comparison between Different Biometric Security Solutions [11] The quality of fingerprint images

Drunkenness Injuries Speed of walking

Medium Holding accelerometers in different places and positions Low High

Except from these traits, more number of biometric traits could be implemented on Mobile devices. Comparing all those traits, iris recognition is considered as the best trait used for authentication in Mobile devices. Since iris pattern are unique in nature with high accuracy and robustness. Generally, several key factors should be considered when implementing such biometrics within Mobile devices [11]. These factors will include user preference, accuracy and the intrusiveness of the application process. Table 6.1 illustrates how these factors vary for different types of biometrics.

7. Biometric System Methodology This section explains about the Biometric system methodology. The basic processes of a biometric system are: Enrolment: Process through which the raw biometric data is captured. Depending on the technology being implemented, the data captured could be a facial image, a fingerprint, voice data, iris etc. Feature extraction: The stage in which the raw data acquired during enrolment is processed to locate and encode the distinctive characteristics on which the system operates. Template creation: A template is “a small file derived from the distinctive features of a user’s biometric data” [12]. It is considered as the building block of a biometric system, and in most cases templates are proprietary to each vendor and technology. Templates can occur in two forms: (i) Enrolment templates: Generated during the user’s first interaction with the system and stored in the enrolment database for future use.

(ii)

Match templates: Generated during identification or authorization attempts, to be compared against enrolment templates, and generally discarded after the matching process. This will lead to two different states called Positive Match which indicates a person is who he/she says he/she and Negative Match which occurs when an authorized user is rejected.

8. Performance Evaluation This section describes the various parameters for measuring the performance of any biometric authentication techniques. In the process of Biometric matching, a match template is compared against an enrolment template to determine the degree of correlation. The matching process results in a score that is compared against a threshold value. If the score exceeds the threshold then the result is a match, otherwise it is considered a mismatch [13]. When an imposter is accepted as an authorized user, accuracy of the imposter is measured using the metrics False Acceptance Rate (FAR), False Rejection Rate (FRR), Total Success Rate (TSR). Accuracy is the most critical characteristic of a biometric identifying verification system. If the system cannot accurately separate authentic persons from impostors, it should not even be termed a biometric identification system. False Reject Rate: FRR is the probability that the system fails to match with input pattern and the template in the database. The rate generally stated as a percentage, at which authentic, enrolled persons are rejected as unidentified or unverified persons by a biometric system is termed the false reject rate. However, in other biometric applications, it may be the most important error. False rejections also have a negative effect on throughput, frustrations, and unimpeded operations because they cause unnecessary delays in personnel movements. [9] Thus FRR is calculated as FRR = False Accept Rate: FAR is the probability that the system incorrectly matches the input pattern to a non matching template in the database. The rate generally stated as a percentage, at which enrolled or impostor persons are accepted as authentic, enrolled persons by a biometric system is termed the false accept rate. FAR is calculated according to the formula, [13] FAR = Thus, the total Success Rate of the biometric system is calculated as

The biometric system error rate is represented in the following graph [11]

Figure 8.1: Biometric System Error Rates The above graph shows the performance of the system based on the matching score between two images and the probability of error occurrence like False Non-Match and False Match. Matching score quantifies the similarity between the biometric input and the database template. It is compared with the acceptance decision

threshold, if matching score is greater than or equal to decision threshold, then compared samples belong to the same person. Imposter distribution is the score generated from the pair of samples from different person. Genuine distribution is the score generated from the pair of samples from same person. [14]

9. Conclusion Mobile devices are prime targets for theft because of their increasing higher-end functionalities, which makes them more attractive. The paper discusses the need for security on mobile devices, security solutions and technologies used. Biometric is the most efficient way to secure one’s individual information on Mobile devices. The various biometric traits used are fingerprint, face recognition, signature, keystroke, voice, gait and Iris. Particularly iris way of security is better for the low power mobile devices because of its reliability and accuracy compared to other biometrics such as face, fingerprint and voice recognition even though these traits also do not need a additional hardware for recognition. These biometric security systems are not only making Mobile devices more secure but also easier to use and even more entertaining. It can be found that there is plenty of space in the coming era of Mobile devices based biometric technology.

REFERENCES [1] Kresimir Delac, Mislav Gregic, “A Survey of Biometric Recognition Methods”, 46th International Symposium Electronic in Marine, ELMAR-2004, 16-18 June 2004, Zadar, Croatia. [2] Jain A.K., Bolle R. and Pankanti S., “Biometrics: Personal identification in Networked Society”, eds. Kluwer Academic, 1999 [3] A. K. Jain, A. Ross, S. Prabhakar, “An introduction to biometric recognition”, IEEE Transactions on Circuits and Systems for Video Technology, Vol. 14, No. 1, pp. 4-20, January 2004. [4] [Mulliner 2006] C.R. Mulliner, “Security of smart phones”, Master’s thesis submitted to University of California, Santa Barbara, June 2006 [5] Tseng,D; Mudanyali, O;,Oztoprak.C;Isikman,S; Sencan,I;Yaglidere,O &Ozcan , A(2010), Lensfree Microscopy on a cell phone.Lab on a chip, vol .10, No.14,(july 2010),pp.1782-1792,ISSN 1473-0197. [6] Chen, X.; Tian, J.; Su, Q.; Yang, X. & Wang, F. (2005). A Secured Mobile devices Based on Embedded Fingerprint Recognition Systems. In: Intelligence and Security Informatics, Kantor, P. et al., (Eds.), pp. 549-553, Springer Berlin / Heidelberg, [7] Kounoudes, A.; Kekatos, V. & Mavromoustakos, S. (2006). Voice Biometric Authentication for Enhancing Internet Service Security. Proceedings of 2006 2nd InternationalConference on Telecommunication Technology and Applications, pp. 1020-1025, ISBN 0- 7803-9521-2, Damascus, Syria, April 24-28, 2006 [8] Jiangwei Li, Yunhong Wang, Tieniu Tan, A.K.Jain2., “Live Face Detection Based on the Analysis of Fourier Spectra”, Proceedings of SPIE, 2004. [9] Cho, D.; Park, D. & Rhee, D. (2005). Real-time Iris Localization for Iris Recognition in Cellular Phone. Proceedings of 2005 6th International Conference on Software Engineering, Artificial Intelligence, Networking and Parallel/Distributed Computing and 1st ACIS International Workshop on Self-Assembling Wireless Networks, pp. 254-259, ISBN 0-7695-2294-7, Towson, Maryland, USA, May 23-25, 2005 [10] Mäntyjärvi, J.; Lindholm, M.; Vildjiounaite, E.; Mäkelä, S. & Ailisto, H. (2005). Identifying Users of Portable Devices from Gait Pattern with Accelerometers. Proceedings of 2005 30th IEEE International Conference on Acoustics, Speech and Signal Processing, pp. 973-976, ISBN 0-78038874-7, Philadelphia, Pennsylvania, USA, March 18-23, 2005 [11] Applied Biometric, “Biometric Comparison Table”, Retrieved on September 11, 2007 [12] Nanavati, Samir et al. “Biometrics: Identity Verification in a Networked World” Wiley Computer Publishing, New York, 2002 [13] Cernet "Characteristics of Biometric Systems". [14] Salil Prabhakar; Sharath Pankanti; Anil K. Jain “Biometric Recognition: Security and Privacy Concerns” , 2003,IEEE Security & Privacy